HTC has gone ahead and confirmed a security flaw in a handful of Android phones that expose the WiFi passwords of the networks they are connected to.
HTC Thunderbolt, EVO 3D, Desire, Sensation & Incredible leaking WiFi passwords
First discovered in September last year by researchers Chris Hessing and Bret Jordan, they had found that any Android application on an affected HTC handset with the android.permission.ACCESS_WIFI_STATE permission would be able to call upon the .toString() command in the WifiConfiguration class to view all credentials of a Wi-Fi network.
HTC has confirmed that the following Android phones are vulnerable to this: HTC Desire HD, HTC DROID Incredible, HTC Thunderbolt 4G, HTC Sensation, HTC Desire S, HTC EVO 3D and the HTC EVO 4G. The report found that both the Google Nexus One (built by HTC) and the myTouch 3G remain unaffected.
HTC has posted the following message on their site to warn owners: “HTC has developed a fix for a small WiFi issue affecting some HTC phones. Most phones have received this fix already through regular updates and upgrades.However, some phones will need to have the fix manually loaded. Please check back next week for more information about this fix and a manual download if you need to update your phone.”